how does your agency improve its cybersecurity … · cybersecurity is a shared mission across all...

CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

IMPLEMENTING THE NECP WEBINARS

HOW DOES YOUR AGENCY IMPROVE ITS CYBERSECURITY POSTURE? IMPLEMENT THE NIST CYBERSECURITY FRAMEWORK

JULY 2020


Post on 20-Aug-2020



Agenda

CISA is an operational agency within the Department of Homeland Security (DHS) that serves as the nation’s infrastructure risk advisors

▪ Webinar Overview and Objectives

▪ National Emergency Communications Plan (NECP) and SAFECOM Nationwide Survey (SNS): Cybersecurity

▪ National Institute of Standards and Technology (NIST) Cybersecurity Framework

▪ Resources and Actions

▪ Question and Answer Session


Webinar Objectives

▪ Discuss the impact of cybersecurity on emergency communications

▪ Use the NECP to learn practical solutions to enhance cybersecurity risk management practices

▪ Gain an understanding of how to implement the NIST Cybersecurity Framework to mitigate cyber risk

▪ Provide links to CISA Central and other CISA resources you can use to mitigate cyber risk


Presenters

Katharine Willers

Emergency Communications

Cybersecurity and Infrastructure Security Agency

Amy Mahn

Applied Cybersecurity Division

National Institute of Standards and Technology


National Emergency Communications Plan


NECP Goals

Goal 1: Governance and Leadership

Develop and maintain effective emergency communications governance and leadership across the Emergency Communications Ecosystem

Goal 2: Planning and Procedures

Develop and update comprehensive emergency communications plans and procedures that address the evolution of risks, capabilities, and technologies across the Emergency Communications Ecosystem

Goal 3: Training, Exercises, and Evaluation

Develop and deliver training, exercise, and evaluation programs that enhance knowledge and target gaps in all available emergency communications technologies

Goal 4: Communications Coordination

Improve effective coordination of available operable and interoperable public safety communications capabilities for incidents and planned events

Goal 5: Technology and Infrastructure

Improve lifecycle management of the systems and equipment that enable emergency responders and public safety officials to share information efficiently and securely

Goal 6: Cybersecurity

Strengthen the cybersecurity posture of the Emergency Communications Ecosystem

NECP Vision: To enable the Nation’s emergency response community to communicate and share information securely across communications technologies in real time, including all levels of government, jurisdictions, disciplines, organizations, and citizens impacted by any threats or hazards event


Cybersecurity Overview

▪ Cybersecurity is a shared mission across all levels of government, the private sector, nongovernmental organizations, and the public

▪ Cyber threats are now more complex and sophisticated and have become one of public safety’s greatest operational risks

▪ The number of incidents is on the rise with significant consequences on emergency communications systems

▪ The SNS found that 37% of public safety organizations have been impacted by a cybersecurity disruption

Public Safety Cyber Incidents

• Madison, Wisconsin Distributed Denial-of-Service Attack - the city’s internet-connected emergency communications system was crippled which impeded emergency responders’ ability to connect to the 9-1-1 Center and slowed down the system used to automatically dispatch responders to emergencies.

• Texas Ransomware Attack - more than 20 entities (mostly small, rural local governments) were hit with a ransomware attack; the victims were able to recognize the incident as ransomware and self-reported the attacks, resulting in a successful coordinated state and federal response


SAFECOM Nationwide Survey

▪ The 2018 SNS was a data collection initiative that supported the content and recommendations of the NECP

▪ The SNS consisted of 38 questions that span the 5 elements of the SAFECOM Interoperability Continuum, plus a security element that accounted for cybersecurity

▪ Findings from the SNS gauge the status of the Nation’s emergency communications capabilities and helped inform the NECP’s goals, objectives, and success indicators


SNS: Cybersecurity Planning

Elements that Organizations Incorporate into Cybersecurity Planning

▪ 46% of organizations do not incorporate the listed cybersecurity measures into their cybersecurity planning

▪ 62% of fire departments indicated that they do not conduct any cybersecurity planning

▪ Almost 60% of public safety disciplines located in rural areas do not participate in cybersecurity planning

[Charts: Cybersecurity Planning, "None of the Above" responses by Disciplines and by Geographies]


SNS: Cybersecurity Funding

Funding for Cybersecurity

▪ Over 55% of organizations indicated that they don’t have funding for cybersecurity capital investments or operating and maintenance costs

▪ Additionally, 26% of organizations indicated that their cybersecurity funding is insufficient to meet their needs


SNS: Cybersecurity Additional Insights

▪ Organizations reported that cybersecurity is not prioritized as a topic for Standard Operating Procedures (SOPs) and is not included in Training and Exercise topics

Cybersecurity Guidelines and Standards Influencing SOPs

• CRIMINAL JUSTICE INFORMATION SERVICES (CJIS) GUIDANCE: 30%

• COMMUNICATIONS SECURITY, RELIABILITY, AND INTEROPERABILITY COUNCIL'S (CSRIC) …: 18%

• DHS COMMUNICATIONS SECTOR-SPECIFIC PLAN (CSSP): 10%

• EMERGENCY SERVICES SECTOR ROADMAP TO SECURE VOICE AND DATA SYSTEMS: 8%

• INFORMATION SHARING AND ANALYSIS CENTERS (ISAC): 5%

• NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) CYBERSECURITY …: 4%

• INFORMATION SHARING AND ANALYSIS ORGANIZATIONS (ISAO): 3%

• NATIONAL CYBER INCIDENT RESPONSE PLAN (NCIRP): 2%

Topics Included in SOPs

• LAND MOBILE RADIO (LMR): 67%

• ALERTS, WARNINGS, AND NOTIFICATIONS: 59%

• SOCIAL MEDIA: 47%

• NEXT GENERATION 911 (NG911): 20%

• PRIORITY SERVICES: 18%

• BROADBAND: 18%

• CYBERSECURITY: 16%

• PROJECT 25 ENCRYPTION: 15%

• NONE OF THE ABOVE: 9%

Topics Included in Emergency Communications Training

• NATIONAL INCIDENT MANAGEMENT …: 85%

• RADIO ETIQUETTE AND TERMINOLOGY: 78%

• COMMONLY USED FREQUENCIES: 66%

• EQUIPMENT TRAINING/REFRESHER: 64%

• INTEROPERABILITY PLANS AND …: 28%

• SOFTWARE TRAINING/REFRESHER: 24%

• BACKUP SYSTEMS: 21%

• COMMUNICATIONS UNIT (COMU): 15%

• CYBERSECURITY: 9%

• NATIONAL INTEROPERABILITY FIELD …: 7%

• NONE OF THE ABOVE: 2%


NECP Success Indicators: Cybersecurity

▪ Implement the National Institute of Standards and Technology (NIST) Cybersecurity Framework[1]

▪ Perform a Cyber Resilience Review

▪ Include cybersecurity representatives in governance bodies

▪ Educate public safety agencies on cybersecurity risk mitigation

▪ Update training and exercise programs to address cybersecurity

▪ Develop and maintain a cyber incident response plan in coordination with the Statewide Interoperability Coordinator and information technology administrators

[Chart: Percentage of Public Safety Organizations Whose Communications Have Been Impacted by Cybersecurity Breaches at Some Point in the Last 5 Years]


NIST Cybersecurity Framework

July 2020


Cybersecurity and the Economy

As technology becomes further integrated into consumers’ lives, ensuring trust becomes more critical, and solutions need to be market-based to scale.

Without trust in the underlying technology:

• Consumers will be reluctant to adopt new applications

• Industry will be reluctant to invest in new infrastructure

• Innovators will be reluctant to offer new ideas

Security is about trust: can technology be used for its desired purpose without undue risk?


Cybersecurity at NIST

• Role in cybersecurity began in 1972 with the development of the Data Encryption Standard

• Using widely-accepted standards helps create competitive markets around market need through combinations of price, quality, performance, and value to consumers.

• Ensure timely availability of standards, and associated testing;

• Achieve cost-efficient, timely and effective solutions to legitimate regulatory, procurement and policy objectives;

• Promote standards and standardization systems that enable innovation and foster US competitiveness; and

• Facilitate international trade and avoid the creation of unnecessary obstacles to trade.


Cybersecurity Framework History

• February 2013 - Executive Order 13636: Improving Critical Infrastructure Cybersecurity

• February 2014 - Version 1.0 of the Cybersecurity Framework released

• December 2014 - Cybersecurity Enhancement Act of 2014 (P.L. 113-274)

• May 2017 - Executive Order 13800: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

• April 2018 - Version 1.1 of the Cybersecurity Framework released


Cybersecurity Framework Structures

The Core provides an increasingly granular set of activities and outcomes that enable an organizational dialogue about managing privacy or cybersecurity risk, based on international standards

Profiles are a selection of specific Functions, Categories, and Subcategories from the Core that the organization has prioritized to help it manage cybersecurity risk

[Figure: CURRENT and TARGET Profiles]

Implementation Tiers help an organization communicate about whether it has sufficient processes and resources in place to manage cybersecurity risk and achieve its Target Profile


Key Framework Attributes

Principles of Current and Future Versions of the Framework

• Common and accessible language

• It’s adaptable to many technologies, lifecycle phases, sectors and uses

• It’s risk-based

• It’s based on standards

• It’s a living document

• Guided by many perspectives - private sector, academia, public sector


An Excerpt from the Framework Core

5 Functions, 23 Categories, 108 Subcategories, 6 Informative References


Sample Resources

www.nist.gov/cyberframework/framework-resources

Financial Services Profile: Financial Services Sector Specific Cybersecurity “Profile”

Manufacturing Profile: NIST Discrete Manufacturing Cybersecurity Framework Profile

Maritime Profile: Bulk Liquid Transport Profile


International Use

Some Translations and Adaptations World-Wide


Resources

Website

• https://nist.gov/cyberframework

Contact

[email protected]

Stay Up to Date

• @NISTcyber


Additional Resources

▪ CISA Central

▪ CISA Cyber Resource Hub and CISA Alerts & Tips

▪ SAFECOM Nationwide Survey Results

▪ National Emergency Communications Plan

▪ NIST Cybersecurity Framework (NIST and CISA resources)

▪ DHS Cybersecurity Services Catalog for State, Local, Tribal, and Territorial Governments [Note: Change to Tools Fact Sheet if published by then]

▪ SAFECOM and National Council of Statewide Interoperability Coordinators Resources

▪ Emergency Communications Technical Assistance and Planning Guide


How You Can Take Action

▪ Take steps for your organization or jurisdiction to implement the NECP and achieve its success indicators

▪ Implement the NIST Cybersecurity Framework

▪ Download the CRR Self-Assessment Package or contact the CISA Cybersecurity Advisor to schedule an on-site visit to your organization


Questions?


Upcoming Webinars


NECP Team

CISA Emergency Communications

Email: [email protected]
